AWS Well Architected Framework · 2016-07-08
AWS Well Architected Framework
What We Will Cover
• The Well-Architected Framework
• Key Best Practices
• How to Get Started
• Resources
Main Pillars
• Security: Account, Access Keys, Network, Services
• Reliability: High Availability, Load Balancing, Backup and DR, Auto Scaling
• Performance Efficiency: Right-Sizing, Benchmarking, Load Testing, Monitoring
• Cost Optimization: Managed Services, Cost Awareness, Tagging
General Design Principles
• Secure from the Start
• Stop Guessing your Capacity Needs
• Test Systems at Production Scale
• Lower the Risk of Architecture Change
• Automate to make Architectural Experimentation Easier
• Allow for Evolutionary Architectures
Security
The ability to protect information, systems and assets while
delivering business value through risk assessments and
mitigation strategies.
• Data Protection
• Privilege Management
• Infrastructure Protection
• Detective Controls
Security: Shared Responsibility
Customers:
• Customer applications & content
• Platform, Applications, Identity & Access Management
• Operating System, Network, and Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Security: Credentials
• As soon as you Create a new AWS Account, Enable MFA
• Use the Identity and Access Management (IAM) Service to Create Users, even if it's only 1
• Protect all of your Credentials
• DO NOT place Access Keys in Code…EVER!
'key' => '1111-2222-3333-4444-5555', 'secret' => 'aaaa-bbbb-cccc-dddd-eeee',
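One way to enforce the "no access keys in code" rule is a check that runs before code is committed. The following is an added example, not part of the original slides: `scan_source` and the sample PHP text are constructed for illustration, and the `AKIA...EXAMPLE` value is the placeholder key ID used in AWS documentation.

```python
import re

# Access key IDs are 20 characters: "AKIA" (long-term IAM user key) or
# "ASIA" (temporary key) followed by 16 upper-case letters or digits.
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")

# A string literal assigned to a credential-looking name, in the PHP array
# form shown on the slide ('secret' => '...') or as name = "..." / name: "...".
ASSIGN_RE = re.compile(r"""
    (?<![A-Za-z0-9_]) ['"]?
    (?P<name>key|secret|aws_access_key_id|aws_secret_access_key) ['"]?
    \s* (?:=>|=|:) \s*
    ['"] (?P<value>[^'"]{8,}) ['"]
    """, re.IGNORECASE | re.VERBOSE)

def scan_source(text):
    """Return a sorted list of (line_number, reason) findings."""
    findings = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_ID_RE.search(line):
            findings.add((lineno, "access key id literal"))
        for match in ASSIGN_RE.finditer(line):
            # "${VAR}"-style references are substituted at deploy time, not literals.
            if match.group("value").startswith("$"):
                continue
            name = match.group("name").lower()
            findings.add((lineno, "literal assigned to '%s'" % name))
    return sorted(findings)

# Constructed sample input: line 3 repeats the anti-pattern from the slide.
SAMPLE_PHP = """<?php
$client = S3Client::factory(array(
    'key' => '1111-2222-3333-4444-5555','secret' => 'aaaa-bbbb-cccc-dddd-eeee',
));
$region = 'us-east-1';
$id = 'AKIAIOSFODNN7EXAMPLE';
"""

if __name__ == "__main__":
    for lineno, reason in scan_source(SAMPLE_PHP):
        print("line %d: %s" % (lineno, reason))
```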
Security: EC2 Role
1: Create EC2 role. Create role in IAM service with limited policy
2: Launch EC2 instance. Launch instance with role
3: App retrieves credentials. Using AWS SDK, application retrieves temporary credentials
4: App accesses AWS resource(s). Using AWS SDK, application uses credentials to access resource(s)
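Steps 3 and 4 work because the credentials a role delivers are temporary: they carry a session token and an expiry time, and the SDK fetches a fresh set before the old one lapses. The sketch below is an added example, not code from the slides or from the AWS SDK; `RoleCredentials` and `fake_metadata_fetch` are hypothetical names, and the fake endpoint returns constructed values in the JSON shape of the instance metadata credentials document.

```python
import json
from datetime import datetime, timedelta, timezone

class RoleCredentials:
    """Caches the temporary credentials delivered to an instance through its role."""

    def __init__(self, fetch, margin=timedelta(minutes=5)):
        self._fetch = fetch        # callable returning the credentials JSON text
        self._margin = margin      # refresh this long before expiry
        self._current = None
        self.fetch_count = 0

    def get(self, now):
        """Return valid credentials, fetching a fresh set when close to expiry."""
        if self._current is None or now >= self._current["expires"] - self._margin:
            self._current = self._parse(self._fetch())
            self.fetch_count += 1
        return self._current

    @staticmethod
    def _parse(text):
        doc = json.loads(text)
        if doc.get("Code") != "Success":
            raise RuntimeError("no role credentials: %r" % doc.get("Code"))
        expires = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        return {"access_key_id": doc["AccessKeyId"],
                "secret_access_key": doc["SecretAccessKey"],
                "session_token": doc["Token"],   # must accompany every signed request
                "expires": expires.replace(tzinfo=timezone.utc)}

def fake_metadata_fetch(clock):
    """Constructed stand-in for the instance metadata endpoint; all values are fake."""
    issued = []
    def fetch():
        issued.append(1)
        expires = clock["now"] + timedelta(hours=6)   # constructed lifetime
        return json.dumps({
            "Code": "Success",
            "AccessKeyId": "ASIAEXAMPLE%04d" % len(issued),
            "SecretAccessKey": "constructed-secret",
            "Token": "constructed-session-token",
            "Expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        })
    return fetch
```

Nothing in this flow is stored in the application's code or configuration, so a leaked copy of the source reveals no key.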
Security: Network and Boundary
• Security Groups are Built-in Stateful Firewalls
• Divide Layers of the Stack into Subnets
• Use a Bastion Host for Access
• Implement Host Based Controls
Two Layers with Security Groups
[Diagram: User; Availability Zones A and B; WEB Server in Web Subnet A (WEB Security Group); RDS DB Instance in DB Subnet A (DB Security Group)]
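A two-layer design only holds if the DB security group admits traffic from the WEB security group and from nothing else. The check below is an added example, not part of the original slides: `audit_db_group`, the group IDs and the MySQL port are assumptions, and the sample groups are constructed in the shape returned by the EC2 DescribeSecurityGroups API.

```python
INTERNET = {"0.0.0.0/0", "::/0"}

def audit_db_group(db_group, web_group_id, db_port):
    """Check the DB-layer group of a two-layer design; return a list of findings."""
    findings = []
    web_can_connect = False
    for perm in db_group["IpPermissions"]:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ports = "all" if proto == "-1" else "%s-%s" % (lo, hi)
        covers_db_port = proto == "-1" or (proto == "tcp" and lo <= db_port <= hi)
        # Address-based rules bypass the layering: any host in range can connect.
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            kind = "internet" if cidr in INTERNET else "address range"
            findings.append("open to %s %s on ports %s" % (kind, cidr, ports))
        # Group-based rules should name the web layer only.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == web_group_id:
                web_can_connect = web_can_connect or covers_db_port
            else:
                findings.append("admits other group %s on ports %s"
                                % (pair["GroupId"], ports))
    if not web_can_connect:
        findings.append("web group %s cannot reach port %d" % (web_group_id, db_port))
    return findings

# Constructed sample groups (IDs are placeholders).
DB_GOOD = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}
DB_BAD = {"GroupId": "sg-db", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]}

if __name__ == "__main__":
    for finding in audit_db_group(DB_BAD, "sg-web", 3306):
        print(finding)
```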
Security: Instance, Monitoring and Auditing
• Configure Encryption Everywhere Possible
• Configure CloudTrail Service
• Configure VPC Flow Logs
• Collect all Logs Centrally and Alert
[Service icons: Virtual Private Cloud, Identity & Access Manager, Key Management Service, CloudTrail, AWS Config]
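Once CloudTrail logs are collected centrally, alerting can start with a few rules tied to the practices above: root account use, console logins without MFA, and changes to the trail itself. The following is an added example, not part of the original slides: the alert names and the `triage` function are assumptions, and the sample records are constructed with only the CloudTrail fields the rules read.

```python
import json

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}

def alerts_for(record):
    """Return the alert names one CloudTrail record triggers."""
    alerts = []
    name = record.get("eventName", "")
    if (record.get("userIdentity") or {}).get("type") == "Root":
        alerts.append("root-account-used")
    if name == "ConsoleLogin":
        succeeded = (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa_used = (record.get("additionalEventData") or {}).get("MFAUsed") == "Yes"
        if succeeded and not mfa_used:
            alerts.append("console-login-without-mfa")
    if record.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
        alerts.append("trail-changed")
    return alerts

def triage(log_text):
    """Scan one CloudTrail log file ({"Records": [...]}) and list (time, alert)."""
    hits = []
    for record in json.loads(log_text)["Records"]:
        hits.extend((record.get("eventTime"), alert) for alert in alerts_for(record))
    return hits

# Constructed sample records.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2016-07-08T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-07-08T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2016-07-08T09:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": {"type": "IAMUser"},
     "responseElements": None},
    {"eventTime": "2016-07-08T09:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "userIdentity": {"type": "AssumedRole"}},
]})

if __name__ == "__main__":
    for when, alert in triage(SAMPLE_LOG):
        print(when, alert)
```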
Reliability
The ability of a system to recover from infrastructure or
service failures, dynamically acquire computing resources
to meet demand and mitigate disruptions such as
misconfigurations or transient network issues.
• Foundations
• Change Management
• Failure Management
Reliability: High Availability
• No Single Point of Failure
• Multiple Availability Zones
• Load Balancing
• Auto Scaling and Healing
Multi AZ, Load Balanced, Auto Scaled
[Diagram: User; Amazon Route 53; Elastic Load Balancing; Auto Scaling Group of WEB Servers across Web Subnet A and Web Subnet B (Availability Zones A and B); RDS DB Instance Active and RDS DB Instance Standby in DB Subnet A and DB Subnet B; Amazon S3; Amazon CloudWatch]
Reliability: Monitoring and Alerting
• Monitoring
• Notification
• Automated Response
• Review
[Service icons: Amazon CloudWatch, CloudWatch Alarm, Amazon SNS, Amazon CloudWatch Logs, AWS Lambda]
Reliability: Backup and DR
• Define Objectives
• Backup Strategy
• Periodic Recovery Testing
• Automated Recovery
• Periodic Reviews
Performance Efficiency
The ability to use computing resources efficiently to meet
system requirements and to maintain that efficiency as
demand changes and technologies evolve.
• Compute
• Storage
• Database
Performance Efficiency: Right Sizing
• Reference Architecture
• Quick Start Reference Deployments
• Benchmarking
• Load Testing
• Cost / Budget
• Monitoring and Notification
Performance Efficiency: Proximity and Caching
• Content Delivery Network (CDN)
• Database Caching
• Reduce Latency
• Pro-active Monitoring and Notification
[Service icons: Amazon CloudFront, Amazon ElastiCache, RDS DB instance read replica]
Multi AZ, Load Balanced, Auto Scaled, Caching
[Diagram: User; Amazon Route 53; Amazon CloudFront; AWS WAF; Elastic Load Balancing; Auto Scaling Group of WEB Servers across Web Subnet A and Web Subnet B (Availability Zones A and B); ElastiCache, RDS DB Instance Read Replica, RDS DB Instance Active and RDS DB Instance Standby in DB Subnet A and DB Subnet B; Amazon S3; Amazon CloudWatch]
Cost Optimization
The ability to avoid or eliminate unneeded cost or
suboptimal resources.
• Matching Capacity and Demand
• Cost-effective Resources
• Expenditure Awareness
• Optimising Over Time
Cost Optimization: Capacity Matching
• Demand Based
• Queue Based
• Schedule Based
• Appropriately Provisioned
• Instance Matching
• Pro-active Monitoring and Action
[Service icons: Amazon SQS, Optimized instance, Amazon SWF]
Cost Optimization: Pricing Model
• On Demand
• Reserved
• Spot
• Automated Turn Off
Cost Optimization: Managed Services
• Analyze Available Services
• Appropriate Databases
• Consider Application Level Services
• Automation: CloudFormation, Elastic Beanstalk
[Service icons: Amazon RDS, Amazon DynamoDB, Amazon Redshift, Amazon ElastiCache, AWS CloudFormation, AWS Elastic Beanstalk, Amazon Elasticsearch Service]
Cost Optimization: Manage Expenditure
• Tag Resources
• Track Project Lifecycle and Profile Applications
• Monitor Usage and Spend
• Cost Explorer
• Partner Tools
Trusted Advisor
Enterprise-Level Support
Offers resources for customers running business & mission-critical
workloads on AWS, as well as any customers who:
• Focus on proactive management to increase efficiency and
availability
• Build well-architected, well-operated solutions
• Leverage AWS expertise to support launches and
migrations